Surveillance, monitoring and real-time events platform

ABSTRACT

Systems and methods according to the invention provide a surveillance, monitoring and real-time events platform to (i) enable the integration and communication of information between government agencies and organizations specifically tasked with ensuring the security and safety of our nation and its communities, (ii) to integrate information systems from federal, state and/or local agencies (from disparate data sources if necessary) in order to obtain a single, real-time view of the entire organization, and (iii) to extract more complete, actionable information from their existing systems, thereby dramatically improving decision making speed and accuracy.

This application claims the benefit of priority of U.S. Provisional Patent Application Ser. No. 60/485,200, filed Jul. 7, 2003, entitled “Surveillance, Monitoring and Real-Time Events Platform,” the teachings of which are incorporated herein by reference. This application is a continuation in part of and claims the benefit of priority of the following copending, commonly-assigned patent applications, the teachings of all of which are incorporated herein by reference: U.S. patent application Ser. No. 10/680,049, filed Oct. 7, 2003, entitled “Methods and Apparatus for Identifying Related Nodes in a Directed Graph Having Named Arcs” (now issued as U.S. Pat. No. 6,954,749); U.S. Provisional Patent Application Ser. No. 60/416,616, filed Oct. 7, 2002, entitled “Methods and Apparatus for Identifying Related Nodes in a Directed Graph Having Named Arcs”; U.S. patent application Ser. No. 09/917,264, filed Jul. 27, 2001, entitled “Methods and Apparatus for Enterprise Application Integration” (now issued as U.S. Pat. No. 7,058,637); U.S. Provisional Patent Application Ser. No. 60/291,185, filed May 15, 2001, entitled “Methods and Apparatus for Enterprise Application Integration”; U.S. patent application Ser. No. 10/051,619, filed Oct. 29, 2001, entitled “Methods and Apparatus for Real-Time Business Visibility Using Persistent Schema-Less Data Storage” (now issued as U.S. Pat. No. 6,856,992); U.S. Provisional Patent Application Ser. No. 60/324,037, filed Sep. 21, 2001, entitled “Methods and Apparatus for Real-Time Business Visibility Using Persistent Schema-Less Data Storage”; U.S. patent application Ser. No. 10/302,764, filed Nov. 21, 2002, entitled “Methods and Apparatus for Querying a Relational Data Store Using Schema-Less Queries” (now published as US 2003/015841 and issued as U.S. Pat. No. 6,925,457); U.S. Provisional Patent Application Ser. No. 60/332,053, filed Nov. 21, 2001, entitled “Methods and Apparatus for Querying a Relational Database of RDF Triples in a System for Real-Time Business Visibility”; U.S. Provisional Patent Application Ser. No. 60/332,219, filed Nov. 21, 2001, entitled “Methods and Apparatus For Calculation and Reduction of Time-Series Metrics from Event Streams or Legacy Databases in a System for Real-Time Business Visibility”; U.S. patent application Ser. No. 10/302,727, filed Nov. 21, 2002, entitled “Methods and Apparatus for Statistical Data Analysis and Reduction for an Enterprise Application” (now issued as U.S. Pat. No. 7,302,440); U.S. patent application Ser. No. 10/138,725, filed May 3, 2002, entitled “Methods and Apparatus for Visualizing Relationships Among Triples of Resource Description Framework (RDF) Data Sets” (now published as U.S. Patent Publication No. 2003-0208499 A1).

BACKGROUND OF THE INVENTION

The invention pertains to surveillance, monitoring and real-time event processing. It has application in public health & bioterrorism, border and port security, public and community safety, and government data integration, to name a few.

Today, national, state, and local governments are challenged to achieve unprecedented levels of cooperation in and among agencies and organizations charged with protecting the safety of communities. Many of these organizations use either proprietary or incompatible technology infrastructures that need to be integrated in order to provide real-time, critical information for effective event monitoring and coordinated emergency response. Information must be shared instantaneously and among numerous entities to effectively identify and respond to a potential threat or emergency-related event.

Significant efforts are underway along these lines, for example, in the public health and bioterrorism arena. The Centers for Disease Control and Prevention (CDC) of the U.S. Department of Health and Human Services has launched several initiatives toward forming nationwide networks of shared health-related information that, when fully implemented, will facilitate the rapid identification of, and response to, health and bioterrorism threats. The CDC plans the Health Alert Network (HAN), for example, to provide infrastructure supporting distribution of health alerts, disease surveillance, and laboratory reporting. The Public Health Information Network (PHIN) is another CDC initiative that will provide detailed specifications for the acquisition, management, analysis and dissemination of health-related information, building upon the HAN and other CDC initiatives, such as the National Electronic Disease Surveillance System (NEDSS).

While these initiatives, and others like them in both health and non-health-related fields, define functional requirements and set standards for interoperability of the IT systems that hospitals, laboratories, government agencies and others will use in forming the nationwide networks, they do not solve the problem of finding data processing equipment capable of meeting those requirements and standards.

It is not uncommon for a single enterprise, such as a hospital, for example, to have several separate database systems to track medical records, patient biographical data, hospital bed utilization, vendors, and so forth. The same is true of the government agencies charged with monitoring local, state and national health. In each enterprise, different data processing systems might have been added at different times throughout the history of the enterprise and, therefore, represent differing generations of computer technology. Integration of these systems at the enterprise level is difficult enough; it would be impossible on any grander scale. This is a major impediment to surveillance, monitoring and real-time events processing in public health and bioterrorism. Similar issues result in parallel problems in border and port security, public and community safety, and government data integration, i.e., the consolidation of data from disparate databases and other sources.

An object of this invention is to provide improved methods and apparatus for surveillance, monitoring and real-time events processing.

A related object is to provide such methods and apparatus as can be applied in public health and bioterrorism, e.g., to facilitate CDC initiatives in this area.

A further object of the invention is to provide such methods and apparatus as can be applied in border and port security, public and community safety, and government data integration.

A still further object of the invention is to provide such methods and apparatus as can be implemented inexpensively, incrementally or otherwise without interruption of IT functions that they bring together.

SUMMARY OF THE INVENTION

To meet these challenges, systems and methods described herein provide a surveillance, monitoring and real-time events platform to (i) enable the integration and communication of information between government agencies and organizations specifically tasked with ensuring the security and safety of our nation and its communities, (ii) to integrate information systems from federal, state and/or local agencies (from disparate data sources if necessary) in order to obtain a single, real-time view of the entire organization, and (iii) to extract more complete, actionable information from their existing systems, thereby dramatically improving decision making speed and accuracy.

The platform has application in a variety of areas, including public health & bioterrorism, border and port security, public and community safety, and government data integration, to name a few.

Public Health & BioTerrorism

Effective and timely surveillance and monitoring of health-related events is essential for early detection and management of public health threats, whether a naturally occurring disease, such as West Nile Virus, or a biological or chemical attack. State and local public health officials must have the ability to identify the specific nature and scope of an event and launch a tightly coordinated response, all in real-time.

In one aspect of the invention, the surveillance, monitoring and real-time events platform is adapted for use, e.g., as a local, state or federal node, in a network conforming to the Public Health Information Network (PHIN) initiative of the Centers for Disease Control and Prevention (CDC) of the U.S. Department of Health and Human Services, or as an infrastructure element of that network. This provides a real-time solution that:

-   Delivers a dual purpose real-time syndromic surveillance system covering both bioterrorism and targeted communicable diseases
-   Transforms data from a variety of protocols (CSV, EDI, Excel, XML) into industry standard formats HL7 and HIPAA
-   Integrates disparate data systems (hospitals, labs, clinics, pharmacies) from any format or location quickly and without custom coding
-   Enables synchronous and asynchronous collaboration between participating departments and personnel
-   Provides real-time customizable reporting and GIS mapping via web-based graphical interface
-   Initiates and manages real-time notifications to first responders and public health officials via web, email, phone, wireless PDA and mobile phone
-   Complies with the CDC's NEDSS, HAN and PHIN architectures

Systems and methods according to this aspect of the invention are designed for multiple purposes. They function as a real-time surveillance system, a bioterrorism detection and response system and a collaborative network for distance learning and communication.

As the CDC develops standards and mandated reporting protocols such as the National Electronic Disease Surveillance System (NEDSS), Health Alert Network (HAN) and Public Health Information Network (PHIN), it is up to state and local health officials to understand these new requirements and develop a system to comply. Systems and methods according to this aspect of the invention are designed to satisfy all NEDSS, HAN and PHIN requirements and more. They provide a platform technology that is highly flexible and scalable, meaning that it can adapt and stay current with new requirements and specifications with minimal effort. This feature allows health agencies to add data systems and functionality to the platform easily without impacting the current architecture.

Border & Port Security

Border and port security represent complex security challenges. These sites represent vulnerable points of entry and require monitoring of ocean vessel arrivals and departures, assessing potentially hazardous cargo, responding to immigration challenges, terrorist threats and managing the proximity risk to civilians and land-based targets such as nuclear facilities, dams, power plants, gas lines, and other biological and chemical facilities. Due to the complex and porous nature of borders and ports, many distinct organizations are required to work in close cooperation and effectively share critical information.

In one aspect of the invention, the surveillance, monitoring and real-time events platform is adapted for border and port security applications, providing:

-   Real-time information in a secure web-based user interface
-   A consolidated view of port security status, integrating multiple agencies' and organizations' existing information systems to appear as one, in real time
-   Integration of meteorological or other environmental information
-   GIS (geo-spatial mapping) for rapid local assessment and visibility
-   Time-critical risk assessment based on local, state and federal data sources
-   Scenario-based event management for medical, emergency and public safety responders with immediate notifications to key safety personnel

Public & Community Safety

Local law enforcement agencies are increasingly involved in complex public safety issues. Today, airports, construction sites, concerts, and other large, high-profile community events require greater levels of security, including biometric identification and other methods of individual scanning and surveillance. The surveillance, monitoring and real-time events platform can be deployed in applications designed to identify community threats or security breaches in a wide range of settings including inter-agency solutions for superior security surveillance and response. This platform provides:

-   Real-time reporting with secure web-based user interface enabling a single view of a multi-agency operation
-   Integration of critical data from existing data sources (any data in any format) to create better public safety information
-   GIS (geo-spatial mapping) for rapid local assessment and visibility
-   Real-time risk assessment based on local, state and federal data sources
-   Coordinated communication and immediate notifications to key safety personnel and responders

Government Solution for Data Visibility

Government agencies are challenged with the daunting task of improving agency-wide and inter-agency information flow and visibility, especially in today's volatile environment. True agency-wide information access for real-time analysis is only achieved by being able to tie together all existing disparate data sources, from any location, and offer a consolidated view of critical information.

In one aspect of the invention, the surveillance, monitoring and real-time events platform provides a single point of access to all state security-related IT systems (Justice Dept, Law Enforcement, Dept of Health) to expedite identifying potential threats. The platform can also provide information visibility across an organization's systems. The platform:

-   Leverages investments in existing IT infrastructure
-   Provides a single, comprehensive view of critical information from all data sources
-   Provides a solution that is operational in a fraction of the time a “traditional” data integration project would take
-   Benefits from a flexible, scalable, interoperable platform capable of integrating any agency's data sources for optimal visibility and operational readiness

The aforementioned and other aspects of the invention are evident in the drawings and in the description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing features of this invention, as well as the invention itself, may be more fully understood from the following detailed description of the drawings in which:

FIG. 1 depicts a surveillance, monitoring and real-time events system 100 according to the invention suitable for the adaptation to a public health & bioterrorism application, e.g., as part of PHIN, HAN or NEDSS-compatible networks;

FIG. 2A depicts an architecture for a hologram data store used in the system of FIG. 1;

FIG. 2B depicts the tables in a model store and a triples store of the hologram data store of FIG. 2A;

FIG. 3 depicts an expert engine to identify information in the data store or from the other information in the system of FIG. 1; and

FIGS. 4-16 depict a visual display used in the system of FIG. 1 to call alerts and other information to the attention of the user.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENT

FIG. 1 depicts a surveillance, monitoring and real-time events system 100 according to the invention suitable for the adaptation to a public health & bioterrorism application, e.g., as part of PHIN, HAN or NEDSS networks. Illustrated system 100 represents a data processing station (or stations) resident at a node in such a network, such as, for example, a clinical care provider, a laboratory, a local or state health department, the CDC headquarters, a local or national law enforcement office, or otherwise. Though the illustrated system is used in a public health & bioterrorism application, it will be appreciated that a similar such system can be applied in border & port security, public & community safety, and government data integration applications, described above, among others.

Illustrated system 100, which can be embodied in conventional digital data processing apparatus (including attendant processor(s), display units, storage units, and communications devices) of the type conventional in the art, comprises connectors 108 that provide software interfaces to legacy and other databases, data streams, and sources of information—collectively, databases 140—in clinical care facilities or other entities (such as agency field offices or laboratories), organizations (such as governmental agencies) or enterprises, such as the PHIN network, the HAN network or otherwise. A “hologram” data store 114 (hereinafter, “data store” or “hologram data store”), which is coupled to the databases 140 via the connectors 108, stores data from those databases 140. A framework server 116 accesses the data store 114, presenting selected data to (and permitting queries from) a user browser 118. The server 116 can also permit updates to data in the data store 114 and, thereby, in the databases 140. These updates can include both the addition of new data and the modification of old data.

In the illustration, databases 140 include a database 140 a maintained with a Sybase® database management system and a database 140 b maintained with an Oracle® database management system. The “databases” 140 also include a data stream 140 c providing information from other nodes 100 b, 100 c, 100 d, 100 e, of the PHIN, HAN, NEDSS or other network 120. Those other nodes can be constructed and operated in the manner of system 100 (as suggested in the illustration by their depiction using like silhouettes) or in any other manner consistent with PHIN, HAN, NEDSS or other network operations. The network 120 represents the Internet, wide area network or other medium or collection of media that permit the transfer of information (continuous, periodic or otherwise) between the nodes in a manner consistent with requirements of PHIN, HAN, NEDSS or other applicable network standards.

Of course, these are merely examples of the variety of databases or other sources of information with which methods and apparatus as described herein can be used. Common features of illustrated databases 140 are that they provide access to information of actual or potential interest to the node in which system 100 resides and that they can be accessed via application program interfaces (API) or other mechanisms dictated by the PHIN, HAN, NEDSS or other applicable network.

Connectors 108 serve as interfaces to databases, streams and other information sources 140. Each connector applies requests to, and receives information from, a respective database, using that database's API or other interface mechanism, e.g., as dictated by the PHIN, HAN or otherwise. Thus, for example, connector 108 a applies requests to database 140 a using the corresponding SAP API; connector 108 b applies requests to database 140 b using the Oracle API; and connector 108 c applies requests to and/or receives information from the stream or information source 140 c using PHIN-appropriate, HAN-appropriate, NEDSS-appropriate or other stream or network-appropriate requests. Thus, by way of non-limiting example, the connector 108 c can generate requests to the network 120 to obtain data from health care institutions and other nodes on the network.

The requests can be simple queries, such as SQL queries and the like (e.g., depending on the type of the underlying database and its API) or more complex sets of queries, such as those commonly used in data mining. For example, one or more of the connectors can use decision trees, statistical techniques or other query and analysis mechanisms known in the art of data mining to extract information from the databases. Specific queries and analysis methodologies can be specified by the hologram data store 114 or the framework server 116 for application by the connectors. Alternatively, the connectors themselves can construct specific queries and methodologies from more general queries received from the data store 114 or server 116. For example, request-specific items can be “plugged” into query templates thereby effecting greater speed and efficiency.

Regardless of their origin, the requests can be stored in the connectors 108 for application and/or reapplication to the respective databases 108 to provide one-time or periodic data store updates. Connectors can use expiration date information to determine which of a plurality of similar data to return to the data store, or if dates are absent, the connectors can mark returned data as being of lower confidence levels.

In a system 100 according to the invention used as part of the PHIN network, the connector 108 c (and/or other functionality not shown) provides for the automated exchange of data between public health partners, as required of nodes in the PHIN network. Thus the connector 108 c (and/or other functionality) comprises an ebXML compliant SOAP web service that can be reached via an HTTPS connection after appropriate authentication and comprises, or is coupled to, an HTTPS port. It also supports messaging in the industry standard requisite formats and message content specified by the PHIN standard. The connector 108 c also provides for translation of messages received from the network 120 into a format compatible with the NEDSS and/or other requisite data models specified by the PHIN standards for storage in the data store 114 as detailed further below. And, the connector 108 c (or other functionality) facilitates the exchange and management of specimen and lab result information, as required under the PHIN standard. Systems 100 according to the invention used as part of HAN or NEDSS-compatible networks provide similar functionality, as particularly required under those initiatives.

Data and other information (collectively, “messages”) generated by the databases, streams and other information sources 140 in response to the requests are routed by connectors to the hologram data store 114. That other information can include, for example, expiry or other adjectival data for use by the data store in caching, purging, updating and selecting data. The messages can be cached by the connectors 108, though they are preferably immediately routed to the store 114.

Information updates entered, for example, by a user who is accessing the store 114 via a server 116 and browser 118, are transmitted by server 116 to data store 114. There, any triples implicated by the change are created or changed in store 114C, as are the corresponding RDF document objects in store 114A. An indication of these changes can be forwarded to the respective databases, streams or other information sources 140 via the connectors 108, which utilize the corresponding API (or other interface mechanisms) to alert those sources 140 of updates. Likewise, changes made directly to the store 114C, e.g., using a WebDAV client or otherwise, can be forwarded by the connector 108 to the respective sources 140.

The hologram data store 114 stores data from the databases 140 (and from the framework server 116, as discussed below) as RDF triples. The data store 114 can be embodied on any digital data processing system or systems that are in communications coupling (e.g., as defined above) with the connectors 108 and the framework server 116. Typically, the data store 114 is embodied in a workstation or other high-end computing device with high capacity storage devices or arrays, though this may not be required for any given implementation.

Though the hologram data store 114 may be contained on an optical storage device, this is not the sense in which the term “hologram” is used. Rather, it refers to its storage of data from multiple sources (e.g., the databases 140) in a form which permits that data to be queried and coalesced from a variety of perspectives, depending on the needs of the user and the capabilities of the framework server 116.

To this end, a preferred data store 114 stores the data from the databases 140 in subject-predicate-object form, e.g., RDF triples, though those of ordinary skill in the art will appreciate that other forms may be used as well, or instead. By way of background, RDF is a way of expressing the properties of items of data. Those items are referred to as subjects. Their properties are referred to as predicates. And, the values of those properties are referred to as objects. In RDF, an expression of a property of an item is referred to as a triple, a convenience reflecting that the expression contains three parts: subject, predicate and object.

Listed below is a portion of a data set of the type with which the invention can be practiced. The listing contains RDF triples, here, expressed in extensible markup language (XML) syntax. Those skilled in the art will, of course, appreciate that RDF triples can be expressed in other syntaxes and that the teachings hereof are equally applicable to those syntaxes. Further, the listing shows only a sampling of the triples in a data store 114, which typically would contain tens of thousands or more of such triples.

    <rdf:RDF ... xmlns="http://www.metatomix.com/postalCode/1.0#">
    <rdf:Description rdf:about="postal://zip#02886">
      <town>Warwick</town>
      <state>RI</state>
      <country>USA</country>
      <zip>02886</zip>
    </rdf:Description>
    <rdf:Description rdf:about="postal://zip#02901">
      <town>Providence</town>
      <state>RI</state>
      <country>USA</country>
      <zip>02901</zip>
    </rdf:Description>

Subjects are indicated within the listing using a “rdf:about” statement. For example, the second line of the listing defines a subject as a resource named “postal://zip#02886.” That subject has predicates and objects that follow the subject declaration. One predicate, <town>, is associated with a value “Warwick”. Another predicate, <state>, is associated with a value “RI”. The same follows for the predicates <country> and <zip>, which are associated with values “USA” and “02886,” respectively. Similarly, the listing shows properties for the subject “postal://zip#02901,” namely, <town> “Providence,” <state> “RI,” <country> “USA” and <zip> “02901.”

In the listing, the subjects and predicates are expressed as uniform resource indicators (URIs), e.g., of the type defined in Berners-Lee et al, Uniform Resource Identifiers (URI): Generic Syntax (RFC2396) (August 1998), and can be said to be expressed in a form <scheme>://<path>#<fragment>. For the subjects given in the example, <scheme> is “postal,” <path> is “zip,” and <fragment> is, for example, “02886” and “02901.”

The predicates, too, are expressed in the form <scheme>://<path>#<fragment>, as is evident to those of ordinary skill in the art. In accord with XML syntax, the predicates in lines two, et seq., of the listing must be interpreted as suffixes to the string provided in the namespace directive “xmlns=http://www.metatomix.com/postalCode/1.0#” in line one of the listing. This results in predicates that are formally expressed as: “http://www.metatomix.com/postalCode/1.0#town,” “http://www.metatomix.com/postalCode/1.0#state,” “http://www.metatomix.com/postalCode/1.0#country” and “http://www.metatomix.com/postalCode/1.0#zip.”

Hence, the <scheme> for the predicates is “http” and <path> is “www.metatomix.com/postalCode/1.0.” The <fragment> portions are <town>, <state>, <country> and <zip>, respectively. It is important to note that the listing is in some ways simplistic in that each of its objects is a literal value. Commonly, an object may itself be another subject, with its own objects and predicates. In such cases, a resource can be both a subject and an object, e.g., an object to all “upstream” resources and a subject to all “downstream” resources and properties. Such “branching” allows for complex relationships to be modeled within the RDF triple framework.

FIG. 2A depicts an architecture for a preferred hologram data store 114 according to the invention. The illustrated store 114 includes a model document store 114A and a model document manager 114B. It also includes a relational triples store 114C, a relational triples store manager 114D, and a parser 114E interconnected as shown in the drawing.

As indicated in the drawing, RDF triples maintained by the store 114 are received—from the databases 140 (via connectors 108) and/or from time-based data reduction module 150 (described below)—in the form of document objects, e.g., of the type generated from a Document Object Model (DOM) in a JAVA, C++ or other application. In the illustrated embodiment, these are stored in the model document store 114A as such (i.e., document objects) particularly, using the tables and inter-table relationships shown in FIG. 1B (see dashed box labelled 114B).

The model document manager 114B manages storage/retrieval of the document object to/from the model document store 114A. In the illustrated embodiment, the manager 114B comprises the Slide content management and integration framework, publicly available through the Apache Software Foundation. It stores (and retrieves) document objects to (and from) the store 114A in accord with the WebDAV protocol. Those skilled in the art will, of course, appreciate that other applications can be used in place of Slide and that document objects can be stored/retrieved from the store 114A in accord with other protocols, industry-standard, proprietary or otherwise.

However, use of the WebDAV protocol allows for adding, updating and deleting RDF document objects using a variety of WebDAV client tools (e.g., Microsoft Windows Explorer, Microsoft Office, XML Spy or other such tools available from a variety of vendors), in addition to adding, updating and deleting document objects via connectors 108 and/or time-based data reduction module 150. This also allows for presenting the user with a view of a traversable file system, with RDF documents that can be opened directly in XML editing tools or from Java programs supporting WebDAV protocols, or from processes on remote machines via any HTTP protocol on which WebDAV is based.

RDF triples received by the store 114 are also stored to a relational database, here, store 114C, that is managed and accessed by a conventional relational database management system (RDBMS) 114D, operating in accord with the teachings hereof. In that database, the triples are divided into their constituent components (subject, predicate, and object), which are indexed and stored to respective tables in the manner of a “hashed with origin” approach. Whenever an RDF document is added, updated or deleted, a parser 114E extracts its triples and conveys them to the RDBMS 114D with a corresponding indicator that they are to be added, updated or deleted from the relational database. Such a parser 114E operates in the conventional manner known in the art for extracting triples from RDF documents.

The illustrated database store 114C has five tables interrelated as particularly shown in FIG. 2B (see dashed box labelled 114C). In general, these tables rely on indexes generated by hashing the triples' respective subjects, predicates and objects using a 64-bit hashing algorithm based on cyclical redundancy codes (CRCs)—though, it will be appreciated that the indexes can be generated by other techniques as well, industry-standard, proprietary or otherwise.

Referring to FIG. 2B, the “triples” table 534 maintains one record for each stored triple. Each record contains an aforementioned hash code for each of the subject, predicate and object that make up the respective triple, along with a resource flag (“resource_flg”) indicating whether that object is of the resource or literal type. Each record also includes an aforementioned hash code (“m_hash”) identifying the document object (stored in model document store 114A) from which the triple was parsed, e.g., by parser 114E.

In the illustrated embodiment, the values of the subjects, predicates and objects are not stored in the triples table. Rather, those values are stored in the resources table 530, namespaces table 532 and literals table 536. Particularly, the resources table 530, in conjunction with the namespaces table 532, stores the subjects, predicates and resource-type objects; whereas, the literals table 536 stores the literal-type objects.

The resources table 530 maintains one record for each unique subject, predicate or resource-type object. Each record contains the value of the resource, along with its aforementioned 64-bit hash. It is the latter on which the table is indexed. To conserve space, portions of those values common to multiple resources (e.g., common <scheme>://<path> identifiers) are stored in the namespaces table 532. Accordingly, the field “r_value” contained in each record of the resources table 530 reflects only the unique portion (e.g., <fragment> identifier) of each resource.

The namespaces table 532 maintains one record for each unique common portion referred to in the prior paragraph (hereinafter, “namespace”). Each record contains the value of that namespace, along with its aforementioned 64-bit hash. As above, it is the latter on which this table is indexed.

The literals table 536 maintains one record for each unique literal-type object. Each record contains the value of the object, along with its aforementioned 64-bit hash. Each record also includes an indicator of the type of that literal (e.g., integer, string, and so forth). Again, it is the hash on which this table is indexed.

The models table 538 maintains one record for each RDF document object contained in the model document store 114A. Each record contains the URI of the corresponding document object (“uri_string”), along with its aforementioned 64-bit hash (“m_hash”). It is the latter on which this table is indexed. To facilitate associating document objects identified in the models table 538 with document objects maintained by the model document store 114A, each record of the models table 538 also contains the ID of the corresponding document object in the store 114A. That ID can be assigned by the model document manager 114B, or otherwise.

From the above, it can be appreciated that the relational triples store 114C is a schema-less structure for storing RDF triples. As suggested by Melnik, an author well known to those skilled in the art of RDF and SQL, triples maintained in that store can be reconstituted via an SQL query. For example, to reconstitute the RDF triple having a subject equal to “postal://zip#02886”, a predicate equal to “http://www.metatomix.com/postalCode/1.0#town”, and an object equal to “Warwick”, the following SQL statement is applied:

    SELECT m.uri_string, t.resource_flg,
           concat(n1.n_value, r1.r_value) AS subj,
           concat(n2.n_value, r2.r_value) AS pred,
           concat(n3.n_value, r3.r_value),
           l.l_value
    FROM triples t
        -- explicit joins, so that the outer joins below can reference t
        JOIN models m ON m.uri_id=t.m_hash
        JOIN resources r1 ON t.subject=r1.r_hash
        JOIN namespaces n1 ON r1.n_hash=n1.n_hash
        JOIN resources r2 ON t.predicate=r2.r_hash
        JOIN namespaces n2 ON r2.n_hash=n2.n_hash
        -- the object is either a literal or a resource, hence the outer joins
        LEFT JOIN literals l ON t.object=l.l_hash
        LEFT JOIN resources r3 ON t.object=r3.r_hash
        -- resources reference their namespace by hash, as for r1 and r2
        LEFT JOIN namespaces n3 ON r3.n_hash=n3.n_hash
    -- hash() stands for the 64-bit hash on which the tables are indexed
    WHERE t.subject=hash('postal://zip#02886') AND
          t.predicate=hash('http://www.metatomix.com/postalCode/1.0#town') AND
          t.object=hash('Warwick')
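The five-table layout and the reconstitution query can be exercised end to end. The following is an added example, not code from the patent: it builds the tables in an in-memory SQLite database, stores the postal-code triple, and reads it back. The `hash64` function is a stand-in for the unspecified 64-bit CRC-based hash, and the `l_type` and `doc_id` column names, the document URI and the `#state` triple are assumptions made for illustration.

```python
import sqlite3
import zlib

# Column names l_type and doc_id are assumptions; the rest follow the page.
SCHEMA = """
CREATE TABLE namespaces (n_hash INTEGER PRIMARY KEY, n_value TEXT);
CREATE TABLE resources  (r_hash INTEGER PRIMARY KEY, r_value TEXT, n_hash INTEGER);
CREATE TABLE literals   (l_hash INTEGER PRIMARY KEY, l_value TEXT, l_type TEXT);
CREATE TABLE models     (m_hash INTEGER PRIMARY KEY, uri_string TEXT, doc_id INTEGER);
CREATE TABLE triples    (subject INTEGER, predicate INTEGER, object INTEGER,
                         resource_flg INTEGER, m_hash INTEGER);
CREATE INDEX triples_spo ON triples (subject, predicate, object);
"""

# resource_flg picks which table resolves the object, so a literal and a
# resource that happen to share a hash cannot both join to the same triple.
RECONSTITUTE = """
SELECT m.uri_string,
       n1.n_value || r1.r_value AS subj,
       n2.n_value || r2.r_value AS pred,
       CASE t.resource_flg WHEN 1 THEN n3.n_value || r3.r_value
                           ELSE l.l_value END AS obj
FROM triples t
JOIN models m      ON m.m_hash = t.m_hash
JOIN resources r1  ON r1.r_hash = t.subject
JOIN namespaces n1 ON n1.n_hash = r1.n_hash
JOIN resources r2  ON r2.r_hash = t.predicate
JOIN namespaces n2 ON n2.n_hash = r2.n_hash
LEFT JOIN literals l    ON t.resource_flg = 0 AND l.l_hash = t.object
LEFT JOIN resources r3  ON t.resource_flg = 1 AND r3.r_hash = t.object
LEFT JOIN namespaces n3 ON n3.n_hash = r3.n_hash
WHERE t.subject = ? AND t.predicate = ?
"""

def hash64(value):
    """Stand-in 64-bit hash (assumption): two chained CRC-32 passes."""
    data = value.encode("utf-8")
    hi = zlib.crc32(data)
    lo = zlib.crc32(data[::-1], hi)
    h = (hi << 32) | lo
    return h - (1 << 64) if h >= (1 << 63) else h  # SQLite INTEGER is signed

def split_uri(uri):
    """Split a URI into (shared namespace, unique part) at the last '#' or '/'."""
    cut = max(uri.rfind("#"), uri.rfind("/")) + 1
    return uri[:cut], uri[cut:]

def add_resource(db, uri):
    """Store a resource once; its namespace is shared with other resources."""
    ns, local = split_uri(uri)
    db.execute("INSERT OR IGNORE INTO namespaces VALUES (?, ?)", (hash64(ns), ns))
    db.execute("INSERT OR IGNORE INTO resources VALUES (?, ?, ?)",
               (hash64(uri), local, hash64(ns)))
    return hash64(uri)

def add_triple(db, model_uri, subj, pred, obj, obj_is_resource=False,
               literal_type="string"):
    """Decompose one triple into hashes, tagged with its origin document."""
    db.execute("INSERT OR IGNORE INTO models VALUES (?, ?, NULL)",
               (hash64(model_uri), model_uri))
    if obj_is_resource:
        obj_hash = add_resource(db, obj)
    else:
        obj_hash = hash64(obj)
        db.execute("INSERT OR IGNORE INTO literals VALUES (?, ?, ?)",
                   (obj_hash, obj, literal_type))
    db.execute("INSERT INTO triples VALUES (?, ?, ?, ?, ?)",
               (add_resource(db, subj), add_resource(db, pred), obj_hash,
                int(obj_is_resource), hash64(model_uri)))

def remove_document(db, model_uri):
    """The origin hash lets a deleted document's triples be dropped in one pass.
    Shared resource and literal values stay, since other documents may use them."""
    db.execute("DELETE FROM triples WHERE m_hash = ?", (hash64(model_uri),))
    db.execute("DELETE FROM models WHERE m_hash = ?", (hash64(model_uri),))

def find(db, subj, pred):
    """Reconstitute the triples with the given subject and predicate."""
    return db.execute(RECONSTITUTE, (hash64(subj), hash64(pred))).fetchall()

def build_demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    doc = "dav://store/zip-02886.rdf"  # constructed document URI
    ns = "http://www.metatomix.com/postalCode/1.0#"
    add_triple(db, doc, "postal://zip#02886", ns + "town", "Warwick")
    add_triple(db, doc, "postal://zip#02886", ns + "state",  # constructed triple
               "postal://state#RI", obj_is_resource=True)
    return db

if __name__ == "__main__":
    print(find(build_demo(), "postal://zip#02886",
               "http://www.metatomix.com/postalCode/1.0#town"))
```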

Those skilled in the art will, of course, appreciate that RDF documents and, more generally, objects maintained in the store 114 can be contained in other stores (structured relationally, hierarchically or otherwise) as well, in addition to or instead of stores 114A and 114C.

In a system 100 according to the invention used as part of the PHIN network, the maintenance of data in the store 114 is accomplished in a manner compatible with the applicable PHIN standards, e.g., for the use of electronic clinical data for event detection. Thus, for example, data storage is compatible with the applicable logical data model(s), can associate incoming data with appropriate existing data (e.g., a report of a disease in a person who had another condition previously reported), permits potential cases to be “linked” and traceable from detection via electronic sources of clinical data or manual entry of potential case data through confirmation via laboratory result reporting, and permits data to be accessed for reporting, statistical analysis, geographic mapping and automated outbreak detection algorithms, and so forth, all as required under the PHIN standards and further discussed below. Whether maintained in the data store 114, or otherwise, a system 100 according to the invention used as part of the PHIN network provides directories of public health and clinical personnel accessible as required under the PHIN standards. Systems 100 according to the invention used as part of HAN or NEDSS-compatible networks provide similar functionality, as particularly required under those initiatives.

Referring to FIG. 2A, the relational triples store manager 114D supports SQL queries such as the one exemplified above (for extracting a triple with the subject “postal://zip#02886”, the predicate “http://www.metatomix.com/postalCode/1.0#town”, and the object “Warwick”), in the manner described in commonly assigned U.S. patent application Ser. No. 10/302,764, filed Nov. 21, 2002, entitled METHODS AND APPARATUS FOR QUERYING A RELATIONAL DATA STORE USING SCHEMA-LESS QUERIES, now published as US Patent Application Publication No. 2003/0158841 and PCT WO 03044634 (Application WO2002US0037729), the teachings of which are incorporated herein by reference (see, specifically, for example, FIG. 3 thereof and the accompanying text), and a copy of which may be attached as an appendix hereto (and, if so, as Appendix A).

The data store 114 can likewise include a time-wise data reduction component of the type described in commonly assigned U.S. patent application Ser. No. 10/302,727, filed Nov. 21, 2002, entitled METHODS AND APPARATUS FOR STATISTICAL DATA ANALYSIS AND REDUCTION FOR AN ENTERPRISE APPLICATION, now published as US Patent Application Publication No. 2003/0158851 and PCT WO 03046769 (Application WO2002US0037727), the teachings of which are incorporated herein by reference (see, specifically, for example, FIG. 3 thereof and the accompanying text), a copy of which may be attached as an appendix hereto (and, if so, as Appendix B), to perform a time-wise reduction on data from the database, streams or other sources 140.

According to one practice of the invention, data store 114 includes a graph generator that uses RDF triples to generate directed graphs in response to queries made (e.g., by a user accessing the store via the browser 118 and server 116, by a surveillance, monitoring and real time events application executing on the server 116 or in connection with the browser 118, by another node on the network 120 and received electronically or otherwise, or made otherwise) for information reflected by triples originating from data in one or more of the databases, streams or other sources 140. Such generation of directed graphs from triples can be accomplished in any conventional manner known in the art (e.g., as appropriate to RDF triples or other manner in which the information is stored) or, preferably, in the manner described in co-pending, commonly assigned U.S. patent application Ser. No. 10/138,725, filed May 3, 2002, entitled METHODS AND APPARATUS FOR VISUALIZING RELATIONSHIPS AMONG TRIPLES OF RESOURCE DESCRIPTION FRAMEWORK (RDF) DATA SETS, now published as US Patent Application Publication No. 2003/0208499 and PCT WO 03094142A1 (Application WO2003US0012479), and U.S. Patent Application Ser. No. 60/416,616, filed Oct. 7, 2002, entitled METHODS AND APPARATUS FOR IDENTIFYING RELATED NODES IN A DIRECTED GRAPH HAVING NAMED ARCS, now published as PCT WO 04034625 (Application WO2003US0031636) and issued as U.S. Pat. No. 6,954,749, a copy of which may be attached as an appendix hereto (and, if so, as Appendix C), the teachings of both of which are incorporated herein by reference. Directed graphs so generated can be passed back to the server 116 for presentation to the user via browser 118, they can be “walked” by the server 116 to identify specific information responsive to queries, or otherwise.

Alternatively, or in addition, to the graph generator, the data store 114 can utilize genetic, self-adapting, algorithms to traverse the RDF triples in response to such queries. To this end, the data store utilizes a genetic algorithm that performs several searches, each utilizing a different methodology but all based on the underlying query from the framework server, against the RDF triples. It compares the results of the searches quantitatively to discern which produce(s) the best results and reapplies that search with additional terms or further granularity.

In some practices of the invention, surveillance, monitoring and real-time events applications executing on the connectors 108, the server 116, the browser and/or the data store 114 utilize an expert engine-based system 8 of the type shown in FIG. 3 to identify information in the data store 114 and/or from sources 140 responsive to queries and/or otherwise for presentation via browser 118, e.g., in the form of alerts, reports, or otherwise. The information so identified can, instead or in addition, form the basis of further processing, e.g., by such surveillance, monitoring and real-time events applications, in the form of broadcasts or messages to other nodes in the network 120, or otherwise, consistent with requirements of PHIN, HAN or other applicable standards.

Thus, for example, in a system 100 adapted for use in a node on the PHIN, the system 8 can be used to process data incoming from the sources 140 to determine whether it should be ignored, stored, logged for alert or classified otherwise. Data reaching a certain classification limit, moreover, can be displayed via the browser 118 and, more particularly, the dashboard discussed below, e.g., along with a map of the state, country or other relevant geographic region and/or along with other similar data.

Alternatively, in a system 100 adapted for use in a NEDSS compliant node, the expert engine-based system 8 can be used to detect the numbers of instances occurring over time and, if the number exceeds a threshold, to generate a report, e.g., for display via a dashboard window, or generate alert messages for transfer over the network 120 to targeted personnel (e.g., as identified by action of further rules or otherwise). In such a system 100, the expert engine can also be used to subset data used for display or reporting in connection with the collaborative function, e.g., specified under the CDC's HAN guidelines.

Referring to FIG. 3, the system 8 includes a module 12 that executes a set of rules 18 with respect to a set of facts 16 representing criteria in order to (i) generate a subset 20 of a set of facts 10 representing an input data set, (ii) trigger a further rule, and/or (iii) generate an alert, broadcast, message, or otherwise. For simplicity, in the discussion that follows the set of facts 16 representing criteria are referred to as “criteria” or “criteria 16,” while the set of facts 10 representing data are referred to as “data” or “data 10.”

Illustrated module 12 is an executable program (compiled, interpreted or otherwise) embodying the rules 18 and operating in the manner described herein for identifying subsets of directed graphs. In the illustrated embodiment, module 12 is implemented in Jess (Java Expert System Shell), a rule-based expert system shell, commercially available from Sandia National Laboratories. However, it can be implemented using any other “expert system” engine, if-then-else network, or other software, firmware and/or hardware environment (whether or not expert system-based) suitable for adaptation in accord with the teachings hereof.

The module 12 embodies the rules 18 in a network representation 14, e.g., an if-then-else network, or the like, native to the Jess environment. The network nodes are preferably executed so as to effect substantially parallel operation of the rules 18, though they can be executed so as to effect serial and/or iterative operation as well or in addition. In other embodiments, the rules are represented in accord with the specifics of the corresponding engine, if-then-else network, or other software, firmware and/or hardware environment on which the embodiment is implemented. These likewise preferably effect parallel execution of the rules 18, though they may effect serial or iterative execution instead or in addition.

The data set 10 can comprise any directed graph, e.g., a collection of nodes representing data and directed arcs connecting nodes to one another, though in the illustrated embodiment it comprises RDF triples contained in the data store 114 and/or generated from information received from the sources 140 via connectors 108. Alternatively, or in addition, the data set can comprise data structures representing a meta directed graph of the type disclosed in co-pending, commonly assigned U.S. patent application Ser. No. 10/138,725, filed May 3, 2002, entitled METHODS AND APPARATUS FOR VISUALIZING RELATIONSHIPS AMONG TRIPLES OF RESOURCE DESCRIPTION FRAMEWORK (RDF) DATA SETS, e.g., at FIG. 4A-6B and accompanying text, all of which are incorporated herein by reference.

Criteria 16 contains expressions including, for example, literals, wildcards, Boolean operators and so forth, against which nodes in the data set are tested. In embodiments that operate on RDF data sets, the criteria can specify subject, predicate and/or object values or other attributes. In embodiments that operate on directed graphs of other types, other appropriate values and attributes may be specified. The criteria can be input by a user, e.g., via browser 118, e.g., on an ad hoc basis. Alternatively or in addition, they can be generated by surveillance, monitoring and real-time events applications executing on the connectors 108, the server 116, the browser and/or the data store 114.

Rules 18 define the tests for identifying data in the data set 20 that match the criteria or, where applicable, are related thereto. These are expressed in terms of the types and values of the data items as well as their interrelationships or connectedness. By way of example, a set of rules applicable to a data set comprised of RDF triples for identifying triples that match or are related to the criteria are disclosed in aforementioned incorporated by reference U.S. patent application Ser. No. 60/416,616, filed Oct. 7, 2002, entitled METHODS AND APPARATUS FOR IDENTIFYING RELATED NODES IN A DIRECTED GRAPH HAVING NAMED ARCS, now issued as U.S. Pat. No. 6,954,749 (see, Appendix C hereof). Those skilled in the art will, of course, appreciate that different rules may be applicable depending on the nature and focus of the information sought by any given surveillance, monitoring and real-time events application and that construction of such rules is within the ken of those skilled in the art based on the teachings hereof.

Referring back to FIG. 3, the data 20 output or otherwise generated by module 12 represents those triples matching (or, where applicable, related to) the criteria as determined by exercise of the rules. The data 20 can be output as triples or some alternate form, e.g., pointers or other references to identified data within the data set 10, depending on the needs of the surveillance, monitoring and real-time events application that invoked the system 8. As noted above, instead of or in addition to outputting data 20, the module 12 triggers execution of further rules, generates alerts, broadcasts, messages, or otherwise, consistent with requirements of PHIN, HAN or other applicable standards.
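How rules 18 turn criteria 16 and data 10 into the subset 20 can be shown with a small fixed-point evaluator. This is an added example, not the Jess rule set of the incorporated application: it implements the two rules recited in claim 2 (match the criteria, then pull in direct ancestors that do not conflict) plus the instance-count threshold alert described for NEDSS nodes. The sample facts are constructed, and two readings are assumptions: a "direct ancestor" is a triple whose object is the subject of an identified triple, and a triple "conflicts" when criteria constrain its predicate and it satisfies none of them.

```python
from fnmatch import fnmatchcase

# Constructed sample facts (data 10), each a (subject, predicate, object) triple.
DATA = [
    ("case:1", "hasDiagnosis", "pneumonia"),
    ("case:1", "patientZip", "02886"),
    ("case:2", "hasDiagnosis", "pneumonia"),
    ("case:3", "hasDiagnosis", "influenza"),
    ("provider:3", "reported", "case:1"),
    ("provider:3", "reported", "case:2"),
    ("provider:4", "reported", "case:1"),
    ("provider:4", "reported", "case:3"),
    ("region:NE", "contains", "provider:3"),
    ("region:NE", "contains", "provider:4"),
]

# Constructed criteria 16; "*" is a wildcard in any position.
CRITERIA = [
    ("*", "hasDiagnosis", "pneumonia"),
    ("provider:3", "reported", "*"),
]

def matches(triple, criterion):
    """True when subject, predicate and object each match the criterion."""
    return all(fnmatchcase(value, pattern)
               for value, pattern in zip(triple, criterion))

def conflicts(triple, criteria):
    """Assumed conflict test: some criterion constrains this triple's
    predicate, and the triple satisfies none of those criteria."""
    same_pred = [c for c in criteria
                 if c[1] != "*" and fnmatchcase(triple[1], c[1])]
    return bool(same_pred) and not any(matches(triple, c) for c in same_pred)

def related(data, criteria):
    """Rule (i): triples matching a criterion. Rule (ii): repeatedly add
    direct ancestors of identified triples that do not conflict."""
    found = {t for t in data if any(matches(t, c) for c in criteria)}
    frontier = set(found)
    while frontier:
        subjects = {t[0] for t in frontier}
        frontier = {t for t in data
                    if t not in found
                    and t[2] in subjects          # arc points at an identified node
                    and not conflicts(t, criteria)}
        found |= frontier
    return found

def threshold_alert(data, criterion, threshold):
    """Alert when the number of distinct instances matching one criterion
    exceeds the threshold; otherwise return None."""
    instances = {t[0] for t in data if matches(t, criterion)}
    if len(instances) > threshold:
        return (f"ALERT: {len(instances)} instances match {criterion}, "
                f"threshold {threshold}")
    return None

if __name__ == "__main__":
    for triple in sorted(related(DATA, CRITERIA)):
        print(triple)
    print(threshold_alert(DATA, CRITERIA[0], 1))
```

The `provider:4` report on `case:1` is an ancestor of an identified triple but is excluded because it fails the `reported` criterion, while `region:NE contains provider:3` is reached on the second pass.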

The framework server 116 presents information from the data store 114 and/or sources 140 via browser 118. This can be based on requests entered directly by the user, e.g., in response to selections/responses to questions, dialog boxes or other user-input controls generated by a surveillance, monitoring and real-time events application executing on the server 116 or in connection with the browser 118. It can also be based, for example, on information obtained from the database 114 and/or sources 140 by the expert engine-based system 8 described above.

A further understanding of the operation of the framework server 116 may be attained by reference to the appendix filed with U.S. patent application Ser. No. 09/917,264, filed Jul. 27, 2001, now published as US Patent Application Publication No. 2002/0178170 and PCT WO 02093319A2 and EP 1405219A2 (Application EP2002000741711), and entitled METHODS AND APPARATUS FOR ENTERPRISE APPLICATION INTEGRATION, which appendix is incorporated herein by reference.

According to one practice of the invention, a surveillance, monitoring and real-time events application includes a “dashboard” with display windows or panels that provide comprehensive real-time displays of information gathered from the data store 114 or other sources 140, as well as “alerts” resulting from anomalous situations detected by the surveillance, monitoring and real-time events application. The dashboard and alerts can be generated by an application executing on the server 116 and/or the browser 118 or otherwise.

Surveillance, monitoring and real-time events dashboards can display information and alerts that are specific to predefined categories, such as border and port security, health and bioterrorism, or public and community safety. These can be configured by users to display information from ad hoc combinations of data sources and user-defined alerts. For the purpose of describing the structure and operation of the surveillance, monitoring and real-time events dashboards, reference will be made to two representative examples (border/port security and health/bioterrorism), although these descriptions apply to other predefined and user-defined categories of information.

FIG. 4 illustrates a border/port security dashboard 400. The dashboard displays several panels 402, 404, 406, 408, 410, 412 and 414. Panel 402 can be used to display information relating to an alert, if one has been issued by the surveillance, monitoring and real-time events application or by an external system. Panel 402 is described in more detail below. Each panel 404-414 displays information from a particular data source or an aggregation of data from several data sources. For example, panel 404 can contain real-time radar data from the US Coast Guard superimposed on a satellite image of Boston's inner harbor. The panel 404 display can be augmented with other Coast Guard data. For example, global positioning system (GPS) data from US Coast Guard vessels and vehicles (collectively “units”) can be used to identify and then look up information related to these units. The unit identities can be superimposed on the image displayed in panel 404, as shown at 416, 418 and 420. Double-clicking on one of these units can cause the surveillance, monitoring and real-time events application to display information about the unit. This information can include, for example, contact information (e.g. frequency, call sign, name of person in charge, etc.), capabilities (e.g. maximum speed, crew size, weaponry, fire-fighting equipment, etc.) and status (e.g. docked, patrolling, busy intercepting a vessel, etc.).

Panel 406 can contain real-time data from a port authority superimposed on a map of the inner harbor. Note that port authority data can include information related to the inner harbor that is different than information provided by the US Coast Guard. For example, the port authority data can include information on vessels traveling or docked within the inner harbor. Furthermore, the port authority data can relate to more than just the inner harbor. For example, the port authority data can include information related to an airport and a rail yard.

Other panels 410 and 412 can display information from other data sources, such as US Customs and local or state police. Panel 408 displays a current Homeland Security Advisory System threat level. Panel 414 displays contact information for agencies, such as the US Coast Guard, US Customs, port authority and state police, that might be invoked in case of an alert.

A user can double-click on any panel to display a separate window containing the panel. By this mechanism, the user can enlarge any panel. In addition, through appropriate mouse or keyboard commands, the user can zoom in on a portion of the image displayed by a panel. For example, the user can select a point on the panel display to re-center the display to the selected point and zoom in on that point. Alternatively, the user can select a rectangular portion of the panel display using a “rubber band” cursor and instruct the system to fill the entire panel with the selected portion. FIG. 5 illustrates an example of such a window 500 displaying the port authority panel 406 of FIG. 4. A user can, for example, double-click on a vessel 502 to display information about the vessel. FIG. 6 illustrates an example of a pop-up window 600 that displays information about the selected vessel.

Although panels 402-414 contain graphical displays, other panels (not shown) can contain textual or numeric data. For example, panels containing shipping schedules, airline schedules, port volume statistics, recent headlines, weather forecasts, etc. can be available for display. Of course, other graphical panels, such as current meteorological data for various portions of the world, can also be available. The surveillance, monitoring and real-time events application can make available more panels than can be displayed at one time on the dashboard 400 (FIG. 4). The dashboard 400 can display a default set of panels, such as panels 404-414. Optionally, the user can select which panels to display in the dashboard 400, as well as arrange the panels within the dashboard and control the size of each panel. If it is deemed desirable to display more panels than can be displayed at one time, some or all of the desired panels can be displayed on a round-robin basis.

In addition to allowing users to select items on panels to obtain further information about these items, the surveillance, monitoring and real-time events application can include rules and/or heuristics to automatically detect anomalies and alert users to these anomalies (hereinafter referred to as “alerts”). As a result of one of these alerts, the surveillance, monitoring and real-time events application preferably can select one or more panels containing particularly relevant information and display or enlarge those panels. The selected panels need not be ones that the user could select. For example, the surveillance, monitoring and real-time events application can create a new panel that includes a combination of data from several sources, the sources being selected by rule(s) that caused the alert to be issued.

The following example illustrates how an alert can be issued. As shown in FIG. 7, the inner harbor can be partitioned into shipping lanes 700 and 702. The surveillance, monitoring and real-time events application can include rules describing permitted, required and/or prohibited behavior of vessels in these shipping lanes 700 and 702. Some rules can apply to all vessels. Other rules can apply to only certain vessels, for example according to the vessels' types, cargos, speeds, country of registry, as well as according to data unrelated to the vessels, such as time of day, day of week, season, Homeland Security Advisory System threat level, amount of other harbor traffic or amount or schedule of non-harbor traffic, such as aircraft at an adjacent airport. Other rules can apply to docked vessels, vessels under tow, etc. Similarly, rules can apply to aircraft, vehicles, or any measurable quantity, such as air quality in a subway station, seismic data, voltage in a portion of a power grid or vibration in a building, bridge or other structure. Rules can also apply to data entered by humans, such as the number of reported cases of food poisoning or quantities of antibiotics prescribed, ordered or on hand during a selected period of time.

Under normal circumstances, i.e. when no alerts are pending, the dashboard 400 (FIG. 4) displays a default set of panels or a set of panels selected by the user, as previously described. If, for example, the previously mentioned tanker vessel 502 (FIG. 7) carrying a hazardous cargo, such as liquefied natural gas (LNG), deviates 704 from a prescribed course, the surveillance, monitoring and real-time events application can issue an alert. Note that rules for vessels carrying hazardous cargos can be different than for vessels carrying non-hazardous cargos. In addition, other vessels can trigger the alert. For example, if the LNG tanker 502 is traveling within its prescribed course, but a high-speed vessel (not shown) or an aircraft is on a collision course with the LNG tanker, the surveillance, monitoring and real-time events application can issue an alert.

As a result of the alert, the surveillance, monitoring and real-time events application displays the alert panel 402 (FIG. 4) and an alert message 422. In this case, the alert panel 402 displays a zoomed-in portion of the port authority panel 406. In addition, the surveillance, monitoring and real-time events application can automatically notify a predetermined list of people or agencies. The particular people or agencies can depend on factors, such as the time of day or the day of the week of the alert. Optionally, the surveillance, monitoring and real-time events application can notify other users at other nodes, such as nodes 100b, 100c, 100d and/or 100e (FIG. 1). Information displayed on dashboards (not shown) at these other nodes 100b-e need not be the same as information displayed on the dashboard 400. In particular, the information displayed on these other nodes 100b-e can be more or less detailed than the information displayed on the dashboard 400. For example, summary information, such as an icon displayed on a map of the United States, can be displayed at a command/control node to indicate an alert in Boston, without necessarily displaying all details related to the alert. A user at the command/control node can double-click on the icon to obtain more detailed information.

FIGS. 8-16 illustrate an exemplary dashboard that can be used in a health and bioterrorism context. FIG. 8 illustrates a dashboard 800 that contains several panels 802, 804, 806, 808 and 810. Panel 802 contains a map of the United States with icons 812, 814, 816 indicating locations of three alerts. Panel 804 contains emergency contact information that is relevant to the alerts. Panel 806 contains hyperlinks to discussion forums, in which agency representatives and other authorized groups and people can post messages and replies, as is well known in the art. Panel 808 contains hyperlinks to information that is relevant to the alerts. Panel 810 displays the current Homeland Security Advisory System threat level. These panels will be described in more detail below.

In this example, the icons 812, 814 and 816 represent medical care providers that have experienced noteworthy events or levels of activity. As previously described, an alert can be issued if, for example, the number of cases of disease, such as influenza, exceeds a predetermined threshold. In this example, Provider 3 has encountered patients with pneumonia that does not respond to antibiotics. The other alerts could relate to other anomalous events or levels of activity. Clicking the icon 816 causes the system to display information 818 related to the selected alert. Clicking on a link 820 causes the system to display more detailed information about the alert. For example, FIG. 9 illustrates two panels 902 and 904, as well as a user selection area 906, that can be displayed. Panel 902 contains a more detailed map of the area in which the event occurred. Panel 904 lists the number of cases by zip code of the patients. User selection area 906 enables the user to select one or more of the alerts, thereby selecting or aggregating data from the selected provider(s) for display in panels 902 and 904.

Returning for a moment to FIG. 8, panel 804 contains icons for government agencies and other individuals or organizations (collectively “responders”) that might be called upon to respond to or manage a biological, nuclear, foodborne or other situation identified by the expert engine-based system 8 (e.g., as where the number of instances matching a specified criterion exceeds a threshold). Clicking link 822 displays a window containing emergency contact information for these responders, as shown in FIG. 10 at 1000. Panel 1002 contains several emergency callout options, by which the user can manage the alerts. For example, clicking “Message Board” link 1004 displays a window containing messages posted in relation to this alert, as shown in FIG. 11 at 1100. This message board enables users and responders to communicate with each other in relation to the alert. An “Initiate a new Callout” link 1102 enables the user to initiate a new situation, as shown in FIG. 12.

In response to an alert, the surveillance, monitoring and real-time events application automatically performs searches of the Internet and responder intranets for information relevant to the alert. As previously mentioned, panel 808 (FIG. 8) contains hyperlinks to information that is relevant to the alerts, including results from these searches and predefined information sources that have been identified as relevant. The surveillance, monitoring and real-time events application can, for example, have a database of information sources catalogued according to alert type. As shown in FIG. 13, clicking on one of the hyperlinks in the panel 808 opens a new window 1300 displaying contents identified by the hyperlink.

Returning again to the dashboard 800 shown in FIG. 8, the user can select a module via a pull-down list 824. For example, the user can select “Reports”, in which case the system displays a window similar to that shown in FIG. 14. After selecting one or more providers 1402 and 1404, the system displays a report in a report panel 1406.

FIG. 15 illustrates another graphical display 1500, by which the system can display an alert. In the example of FIG. 15, two potential outbreaks of anthrax are shown. For each potential outbreak, the system displays information, such as proximity of the outbreak to the nearest residential area, as well as the population of the residential area, proximity to the nearest emergency medical center and the number of free beds in the medical center. Being tied into existing hospital systems, the surveillance, monitoring and real-time events application can query those hospital systems and display relevant information, as shown in FIG. 16.

Described herein are methods and apparatus meeting the above-mentioned objects. It will be appreciated that the illustrated embodiment is merely an example of the invention and that other embodiments, incorporating changes to those described herein, fall within the scope of the invention. Thus, for example, as noted earlier, although the illustrated embodiment is adapted for use in public health & bioterrorism application (with additional examples provided with respect to border and port security) it will be appreciated that similar such systems can be applied in public & community safety, and government data integration applications, described above, among others.

The invention claimed is:
1. A digital data processing system comprising: query functionality to (i) apply requests to a plurality of data sources using an application program interface (“API”) associated with each of the data sources, wherein at least two of the plurality of data sources utilize different APIs, (ii) receive data from the plurality of data sources in response to the requests and to route that data to a data store, the data store to store the data from the plurality of data sources in the form of resource description framework (RDF) triples, where, in a directed graph representation, one or more of the triples are related to one or more others of the triples by any of an ancestor and a descendant relationship, an expert engine, coupled to at least one member of a group consisting of (i) the plurality of data sources and the query functionality, to execute rules that operate on the RDF triples to identify related data in the data store, the related data including data that match specified criteria or are related thereto, wherein the expert engine is configured to execute the rules to any of (a) trigger further execution of rules and (b) generate alerts; and a framework module, coupled to the expert engine, to provide data to allow display by one or more displays of information from the data store, as well as one or more alerts resulting from anomalous situations with respect thereto; wherein the system is configured to perform one or more searches of the plurality of data sources to identify information relevant to the one or more alerts and wherein the data provided by the framework module allows display of the results of at least one member of a group consisting of the one or more searches and links to the results.
2. The digital data processing system of claim 1, wherein the rules executed by the expert engine include rules to: (i) identify, as related, data substantially matching a criteria, and (ii) identify, as related, data that is a direct ancestor of data identified in any of (i) and (ii), and that is not in substantial conflict with the criteria.
3. The digital data processing system of claim 1, wherein the data provided by the framework module configures a dashboard to provide one or more real-time displays of information from the data store.
4. The digital data processing system of claim 1, wherein the data provided by the framework module allows display of a plurality of panels as a result of the one or more alerts.
5. The digital data processing system of claim 2, wherein the one or more real-time displays comprise a plurality of panels, and, as a result of the one or more alerts, the framework module provides data to a dashboard to allow at least one member of a group consisting of (i) selection of one or more of the panels and (ii) creation of another panel that includes data from two or more of the plurality of data sources.
6. The digital data processing system of claim 3, wherein the one or more real-time displays comprise a plurality of panels, and, as a result of the one or more alerts, the framework module provides data to a dashboard to allow at least one member of a group consisting of (i) selection of one or more of the panels and (ii) creation of another panel that includes data from two or more of the plurality of data sources, the two or more data sources being selected based on at least one member of a group consisting of (i) a rule and (ii) a heuristic that caused the one or more alerts to be issued.
7. The digital data processing system of claim 1, wherein the plurality of data sources comprise network nodes at one or more clinical care providers, laboratories, governmental health departments, centers for disease control, and law enforcement offices.
8. The digital data processing system of claim 1, wherein the query functionality comprises any of a graph generator, algorithmic search, and an expert engine.
9. The digital data processing system of claim 1, wherein the plurality of data sources are compliant with a public health information network (PHIN) protocol, a health area network (HAN) protocol, National Electronic Disease Surveillance System (NEDSS) protocol, or other protocol for communication of at least one member of a group consisting of: (i) health and (ii) bioterrorism data and wherein the query functionality applies requests to, and receives information from, one or more of the plurality of data sources utilizing an API or interface mechanism dictated by the PHIN, HAN or NEDSS or other protocol communication of information used in communication of health and bioterrorism data.
10. The digital data processing system of claim 9, wherein the query functionality applies SQL queries to selected ones of the plurality of data sources.
11. The digital data processing system of claim 2, wherein the criteria specifies a named relationship and a characteristic of that named relationship, and wherein to identify, as related, includes to compare at least one of the relationship and the characteristic named in a criteria with any of (a) attributes of the direct ancestor, and (b) a relationship between the direct ancestor and any data that descends therefrom, in order to determine whether the director ancestor is in substantial conflict with the criteria.
12. The digital data processing system of claim 1, wherein the framework module generates data to allow display of a border/port security display comprising a plurality of panels, a first of which displays information relating to at least one of the one or more alerts, a second of which displays information from a particular data source or an aggregation of data from several data sources, a third of which displays real-time data from a data source superimposed on a map of a locale.
13. The digital data processing system of claim 11, wherein the framework module generates data to allow a dashboard to respond to a selected user input with respect to an item displayed in one of the panels by displaying additional information about that item.
14. The digital data processing system of claim 12, wherein the framework module generates data to allow a dashboard to respond to an alert by displaying a zoomed-in portion of a locale shown in one of the panels and wherein the system includes additional functionality for alerting people, agencies or other entities of such alert.
15. The digital data processing system of claim 1, configured for any of border & port security, public & community safety, and government data integration applications.
16. A digital data processing system comprising: query functionality to (i) apply requests to a plurality of data sources using an application program interface (“API”) associated with each of the data sources, wherein at least two of the plurality of data sources utilize different APIs, (ii) receive data from the plurality of data sources in response to the requests and to route that data to a data store, the data store to store the data from the plurality of data sources in the form of resource description framework (RDF) triples, where, in a directed graph representation, one or more of the triples are related to one or more others of the triples by any of an ancestor and a descendant relationship, an expert engine, coupled to at least member of a group consisting of (i) the plurality of data sources and the query functionality, to execute rules that operate on the RDF triples to identify related data in the data store, the related data including data that match specified criteria or are related thereto, wherein the rules executed by the expert engine include rules to: (i) identify, as related, data substantially matching a criteria, and (ii) identify, as related, data that is a direct ancestor of data identified in any of (i) and (ii), and that is not in substantial conflict with the criteria, wherein the expert engine is configured to execute the rules to any of (a) trigger further execution of rules and (b) generate alerts; and, a framework module, coupled to the expert engine, to provide data to allow display by one or more displays of information from the data store, as well as one or more alerts resulting from anomalous situations with respect thereto.
17. The digital data processing system of claim 16, wherein the system is configured to perform one or more searches of the plurality of data sources to identify information relevant to the one or more alerts and provide data to display the results of at least one member of a groups consisting of: (i) the one or more searches and (ii) links to those results.
18. The digital data processing system of claim 16, wherein the data provided by the framework module configures a dashboard to provide one or more real-time displays of information from the data store.
19. The digital data processing system of claim 16, wherein the data provided by the framework module allows display of a plurality of panels as a result of the one or more alerts.
20. The digital data processing system of claim 18, wherein the one or more real-time displays comprise a plurality of panels, and, as a result of the one or more alerts, the framework module provides data to a dashboard to allow at least one member of a group consisting of (i) selection of one or more of the panels and (ii) creation of another panel that includes data from two or more of the plurality of data sources.
21. The digital data processing system of claim 18, wherein the one or more real-time displays comprise a plurality of panels, and, as a result of the one or more alerts, the framework module provides data to a dashboard to allow at least one member of a group consisting of (i) selection of one or more of the panels and (ii) creation of another panel that includes data from two or more of the plurality of data sources, the two or more data sources being selected based on at least one member of a group consisting of (i) a rule and (ii) a heuristic that caused the one or more alerts to be issued.
22. The digital data processing system of claim 16, wherein the plurality of data sources comprise network nodes at one or more clinical care providers, laboratories, governmental health departments, centers for disease control, and law enforcement offices.
23. The digital data processing system of claim 16, wherein the query functionality comprises any of a graph generator, algorithmic search, and an expert engine.
24. The digital data processing system of claim 16, wherein the plurality of data sources are compliant with a public health information network (PHIN) protocol, a health area network (HAN) protocol, National Electronic Disease Surveillance System (NEDSS) protocol, or other protocol for communication of health at least one member of a group consisting of: (i) health and (ii) bioterrorism data and wherein the query functionality applies requests to, and receives information from, one or more of the plurality of data sources utilizing an API or interface mechanism dictated by the PHIN, HAN or NEDSS or other protocol communication of information used in communication of health and bioterrorism data.
25. The digital data processing system of claim 24, wherein the query functionality applies SQL queries to selected ones of the plurality of data sources.
26. The digital data processing system of claim 17, wherein the criteria specifies a named relationship and a characteristic of that named relationship, and wherein to identify, as related, includes to compare at least one of the relationship and the characteristic named in a criteria with any of (a) attributes of the direct ancestor, and (b) a relationship between the direct ancestor and any data that descends therefrom, in order to determine whether the director ancestor is in substantial conflict with the criteria.
27. The digital data processing system of claim 16, wherein the framework module generates data to allow display of a border/port security display comprising a plurality of panels, a first of which displays information relating to at least one of the one or more alerts, a second of which displays information from a particular data source or an aggregation of data from several data sources, a third of which displays real-time data from a data source superimposed on a map of a locale.
28. The digital data processing system of claim 25, wherein the framework module generates data to allow a dashboard to respond to a selected user input with respect to an item displayed in one of the panels by displaying additional information about that item.
29. The digital data processing system of claim 28, wherein the framework module generates data to allow a dashboard to respond to an alert by displaying a zoomed-in portion of a locale shown in one of the panels and wherein the system includes additional functionality for alerting people, agencies or other entities of such alert.
30. The digital data processing system of claim 16, configured for any of border & port security, public & community safety, and government data integration applications.
31. A digital data processing system comprising: query functionality to (i) apply requests to a plurality of data sources using an application program interface (“API”) associated with each of the data sources, wherein at least two of the plurality of data sources utilize different APIs, (ii) receive data from the plurality of data sources in response to the requests and to route that data to a data store, the data store to store the data from the plurality of data sources in the form of resource description framework (RDF) triples, where, in a directed graph representation, one or more of the triples are related to one or more others of the triples by any of an ancestor and a descendant relationship, an expert engine, coupled to at least member of a group consisting of (i) the plurality of data sources and the query functionality, to execute rules that operate on the RDF triples to identify related data in the data store, the related data including data that match specified criteria or are related thereto, wherein the rules executed by the expert engine include rules to: (i) identify, as related, data substantially matching a criteria; (ii) identify, as related, data that is a direct ancestor of data identified in any of steps (i), (ii) and (iii), and that is not in substantial conflict with the criteria, wherein step (iii) is set forth below; (iii) identify, as related, data (hereinafter “identified descendent”) that is a direct descendent of data (hereinafter “identified ancestor”) identified as related in any of steps (i), (ii) and (iii), and which identified descendent: (a) does not have a named relationship with the identified ancestor substantially matching a relationship named in the criteria, if any; (b) is not in substantial conflict with the criteria; and (c) does not have a named relationship with the identified ancestor matching a relationship the identified ancestor has with data, if any, as a result of which the identified ancestor was identified during execution of (ii), wherein the expert engine is configured to execute the rules to any of (a) trigger further execution of rules and (b) generate alerts; and, a framework module, coupled to the expert engine, to provide data to allow display by one or more displays of information from the data store, as well as one or more alerts resulting from anomalous situations with respect thereto; wherein the system is configured to perform one or more searches of the plurality of data sources to identify information relevant to the one or more alerts and provide data to display the results of at least one member of a groups consisting of: (i) the one or more searches and (ii) links to those results.
32. The digital data processing system of claim 31, wherein the criteria specifies a named relationship and a characteristic of that named relationship, and wherein to identify, as related, includes to compare at least one of the relationship and the characteristic named in a criteria with any of (a) attributes of the direct ancestor, and (b) a relationship between the direct ancestor and any data that descends therefrom, in order to determine whether the director ancestor is in substantial conflict with the criteria.
33. The digital data processing system of claim 31, wherein the plurality of data sources comprise network nodes at one or more clinical care providers, laboratories, governmental health departments, centers for disease control, and law enforcement offices.
34. The digital data processing system of claim 31, wherein the data provided by the framework module configures a dashboard to provide one or more real-time displays of information from the data store.